ICTU/quality-time

name: Trivy
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  build:
    name: Trivy component analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    strategy:
      matrix:
        include:
          - component: api_server
            build_path: components
            docker_file: api_server/Dockerfile
          - component: collector
            build_path: components
            docker_file: collector/Dockerfile
          - component: database
            build_path: components/database
            docker_file: Dockerfile
          - component: frontend
            build_path: components/frontend
            docker_file: Dockerfile
          - component: notifier
            build_path: components
            docker_file: notifier/Dockerfile
          - component: proxy
            build_path: components/proxy
            docker_file: Dockerfile
          - component: renderer
            build_path: components/renderer
            docker_file: Dockerfile
    steps:
      - name: Checkout code
        uses: actions/checkout@v4.1.6

      - name: Build image from Dockerfile
        run: |
          cd ${{ matrix.build_path }}
          docker build -f ${{ matrix.docker_file }} -t docker.io/ictu/quality-time_${{ matrix.component }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/ictu/quality-time_${{ matrix.component }}'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-${{ matrix.component }}.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        if: ${{ github.ref == 'refs/heads/master' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-${{ matrix.component }}.sarif'

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: 'trivy-${{ matrix.component }}.sarif'
          path: '*.sarif'